WebAuthn Ushers in a New Era in Internet Safety

March 15, 2019

As a W3C member, Ping Identity is thrilled that the W3C Web Authentication Working Group has published the WebAuthn specification as a W3C Recommendation, an important milestone towards a safer Internet. 

For those who are unfamiliar with W3C terminology, a W3C Recommendation is the final step in the W3C standards development process. This means that WebAuthn is now a web standard.

This now-official standard is one of the most impactful to come along in quite some time, and it promises to overhaul the way we authenticate online.

 

Making Use of Built-in Authenticators

Prior to the WebAuthn standard, web applications running in browsers had no platform- or device-independent way to discover, validate and use either built-in authenticators such as fingerprint readers or external authenticators such as YubiKeys.

 

With this new standard, any web application running in a browser that supports WebAuthn can now take advantage of these authenticators to securely authenticate users. 

 

We expect this milestone to accelerate the adoption of WebAuthn, and authenticator providers can now ensure that their authenticators will be available to an enormous variety of applications. WebAuthn is already supported by stable releases of Chrome, Firefox and Edge, and is available as an experimental feature in Desktop Safari.

 

Foiling Phishing Attacks 

Another important aspect of the standard is that it is highly resistant to phishing attacks. This is achieved through users explicitly registering the authenticators they wish to use with a given application. The authenticator creates a unique public key for use by that relying party, bound to the relying party's web domain. For subsequent authentication attempts, the origin of the authentication request is checked against the origin that was originally used during the registration process. If the two do not match, the authentication request is denied and the user can be alerted to the likely phishing attack.

 

The exchange of keys also means that the relying party can be confident that whoever answered the authentication challenge was in fact the same authenticator that the user registered.
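
The origin and domain binding described above can be seen in the checks a relying party runs on each authentication response. The following is an added example, not code from Ping Identity or the specification: the function names, the `example.com` values and the sample data are constructed for illustration, and verifying the signature with the registered public key, which a real relying party must also do, is left out.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, expected_origin, rp_id, challenge):
    """Return the names of the binding checks that failed; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":             # must be an authentication response
        failures.append("type")
    if client.get("challenge") != b64url(challenge):     # must echo the challenge we issued
        failures.append("challenge")
    if client.get("origin") != expected_origin:          # origin reported by the browser
        failures.append("origin")
    if len(authenticator_data) < 37:                     # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")                    # credential was scoped to another domain
    if not authenticator_data[32] & 0x01:                # bit 0 of flags: user present
        failures.append("user_present")
    return failures

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for the bytes a browser and authenticator would return."""
    client = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return client, auth

# Constructed values (assumptions, not from the article)
RP_ID = "example.com"
ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))

if __name__ == "__main__":
    genuine = sample_assertion(ORIGIN, RP_ID, CHALLENGE)
    lookalike = sample_assertion("https://login.examp1e.com", "examp1e.com", CHALLENGE)
    print("genuine site:  ", binding_failures(*genuine, ORIGIN, RP_ID, CHALLENGE))
    print("lookalike site:", binding_failures(*lookalike, ORIGIN, RP_ID, CHALLENGE))
```

A response produced on the lookalike domain fails both the origin check and the domain hash check, even though the user completed the same gesture on their authenticator.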
 

WebAuthn and FIDO2

WebAuthn is one of the foundational components of the FIDO Alliance's FIDO2 project, along with CTAP, the Client to Authenticator Protocol, which creates a standard for how authenticators talk to WebAuthn clients.

 

Ping Identity is actively supporting FIDO2 authenticators in our PingID MFA product. This is the first of many WebAuthn-based use cases that will follow. When using PingID’s multi-factor authentication (MFA), FIDO2-compliant security keys can be enabled so that users are able to pair those keys as an authenticating device, similar to other PingID devices.

 

Once again, kudos to W3C, and we look forward to a long and fruitful relationship as we continue to support and contribute to the important standards work they are responsible for. 

 

If you are interested in finding out more about WebAuthn, FIDO2, CTAP and how they all tie together, my CTO team colleague David Waite will be publishing a much more in-depth white paper in the near future. In the meantime, visit our website to learn more about Ping Identity’s support for open standards.